How to avoid ransomware attacks: Lessons from Baltimore, Atlanta and other cities

    June 11, 2019

    By Asher de Metz

    Baltimore estimates that its ongoing ransomware attack will cost $18.2 million in recovery costs and delayed and lost revenue. The city has already spent $4.6 million on recovery in the four weeks since hackers encrypted files and took down voicemail, email and other critical city systems.

    The attack is drawing comparisons to other high-profile ransomware attacks on city governments. In 2018, Atlanta was shut down by ransomware that could end up costing the city $17 million. Greenville, North Carolina, is a more recent victim, and is still recovering from an April ransomware attack more than a month later.

    There have been at least 169 ransomware attacks on state and local municipalities since 2013, a number that’s likely on the low side given that attacks aren’t always publicised. With new ransomware variants arising, including some that infect systems even when no one clicks on a link in a phishing email, it’s only a matter of time before there are more victims.

    Even if you’re not a city government, this should be a wake-up call: Organisations need to take steps now before they come to work one day to find their devices locked down and their data encrypted. Here are a few basic ideas on how to get ahead of ransomware:


    1. Back up. Regularly back up your critical data. The frequency depends on the nature of the data. For some businesses, you might need snapshots every hour. For others, once a day is more than enough. Separate those backups from the rest of your network so they won’t get locked down along with your other data and devices if you’re infected with ransomware.
    2. Segment. Segment your networks so that if one segment gets hit, it can be cut off from the rest of your network to prevent the ransomware from spreading. It is also important to segment Active Directory (AD) so that it is harder for ransomware to propagate from less critical AD networks to more critical AD networks.
    3. Patch and harden. Have a solid vulnerability management program, remove software such as PowerShell from workstations, remove local admin accounts, remove admin rights and install rights from users, and stop the caching of credentials.
    4. Keep your eyes open. You can spot known ransomware using file-integrity monitoring, security information and event management (SIEM) and other services.
    5. Test, test, test. Test your disaster recovery plan and processes regularly to make sure they will hold up under a real-world attack. You don’t want to discover that your backups are out of date or you can’t recover from them when you’re under attack.
    6. Educate. Perhaps most importantly, educate your employees on how to spot and report phishing emails before they click any suspicious links. While not every strain of ransomware works this way, having knowledgeable employees as a first line of defense eliminates certain threats.
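    As an added illustration of step 4 (spotting ransomware with file-integrity monitoring), the Python below is example code written for this page, not something from the original article or its author. It snapshots a directory as SHA-256 digests, then compares two snapshots and raises an alert on the pattern ransomware leaves behind: a large share of files rewritten or gone in one interval, plus new files carrying an encryption suffix or a ransom-note name. The extension and note-name lists are constructed placeholders, and the demo directory it builds is constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample indicators for the demo; a real deployment maintains its own lists.
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_decrypt.txt"}


def build_baseline(root):
    """Snapshot every regular file under root as {relative path: SHA-256 hex digest}."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare(baseline, current, churn_threshold=0.5):
    """Diff two snapshots. 'churn' is the share of baseline files modified or missing;
    the alert fires on high churn or on any new file matching a ransomware indicator."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    suspicious_new = [
        p for p in added
        if Path(p).suffix.lower() in SUSPICIOUS_EXTENSIONS
        or Path(p).name.lower() in RANSOM_NOTE_NAMES
    ]
    churn = (len(modified) + len(missing)) / max(len(baseline), 1)
    return {
        "modified": modified, "missing": missing, "added": added,
        "suspicious_new": suspicious_new, "churn": round(churn, 2),
        "alert": churn >= churn_threshold or bool(suspicious_new),
    }


def demo():
    """Baseline a constructed directory, then simulate an infection: three of four
    files are overwritten and renamed with a .locked suffix and a ransom note appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(4):
            (root / f"doc{i}.txt").write_text(f"quarterly report {i}\n")
        before = build_baseline(root)
        for i in range(3):  # doc3.txt is left untouched
            f = root / f"doc{i}.txt"
            f.write_bytes(b"\x00" * 32)             # contents replaced by ciphertext
            f.rename(f.with_name(f.name + ".locked"))  # renamed with encryption suffix
        (root / "readme_decrypt.txt").write_text("your files are encrypted\n")
        return compare(before, build_baseline(root))
```

    Scheduling the snapshot every few minutes on a file server and forwarding the alert to the SIEM mentioned in step 4 turns this into a cheap early-warning signal; a single edited document stays well below the churn threshold.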

    How to recover from a ransomware attack

    Organisations that have taken these steps need only to shut down the infected devices or segment, recover from the backups and go back to work.

    For organisations that have already been hit and haven’t taken the necessary precautions, there are often just a few options, and none of them are great.

    The first option is paying the hackers’ ransom request, usually in cryptocurrency. Most cities and municipalities have refused to do this — only 17% have admitted to paying the ransom. Paying is almost always a bad idea, as it tells the hackers you’re willing to pay and essentially puts a target on your back for future attacks.

    The other option is to recover the infected systems and rebuild systems from scratch, a process that can take weeks in some cases. To gain the resources needed for that undertaking, some victims have declared a disaster. When the Colorado Department of Transportation had 2,000 computers encrypted by ransomware in early 2018, the Colorado Office of Information Technology issued a disaster declaration to elevate the attack to the level of a natural disaster, which gave the department access to the Colorado National Guard’s cybersecurity unit, logistics teams and other resources.

    For businesses that don’t have those government resources, working with an experienced partner gives them the option to gain access to expert resources and expedite a return to business as usual. But again, engaging with a partner is a step to take before you become the next victim of ransomware.

    What are you doing to protect your data and your business?
